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(54) Microprocessor with program and data protection function under multi-task environment 


(57) In a microprocessor, a program key for decrypt- 
ing a program and a data key for encrypting/decrypting 
data processed by the program are handled as crypto- 
graphically inseparable pair inside the microprocessor, 
so that it becomes possible for the microprocessor to 


protect processes that actually execute the program, 
without an intervention of the operating system, and it 
becomes possible to conceal secret information of the 
program not only from the other user program but also 
from the operating system. 
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Description 

BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 

[0001] The present invention relates to a microproc- 
essor for supporting a multi-task program execution en- 
vironment and a data protection method for this micro- 
processor. 

DESCRIPTION OF THE RELATED ART 

[0002] There are demands for a microprocessor that 
has a protection function at a time of executing a pro- 
gram in a computer system. In the currently available 
processors, a protection function in the virtual memory 
management and a mechanism for access limitation 
with respect to peripheral input/output devices are con- 
sidered indispensable in order to secure the safety of 
the computer system that provides the multi-task exe- 
cution environment. 

[0003] Moreover, in recent years, a group of programs 
that themselves should be protected are becoming an 
important protection target in view of the protection 
mechanism. For example, a program that is protected 
by the copyright is not permitted to be executed in a style 
that violates the copyright. There is also a program that 
handles data to be concealed from the third party. If the 
program that handles data to be concealed and its ex- 
ecution state have a possibility of being analyzed, the 
secrecy of data cannot be guaranteed, so that the strict 
protection will be required. 

[0004] In order to execute these programs safely, 
there are systems for guaranteeing the safety crypto- 
graphically that have been proposed and realized in 
practice. One of them is the tamper resistant software 
(David Aucsmith et al.; "Tamper Resistant Software: An 
implimentation", Proceedings of the 1996 Intel Software 
Developer's Conference). This is a technique in which 
a part or a whole of the program is encrypted and then 
distributed and stored, and the program and data are 
decrypted and executed immediately before utilizing the 
program, and the program is re-encrypted after finishing 
the program if necessary. 

[0005] However, the tamper resistant software tech- 
nique only makes the analysis by the analyzing tools 
such as a reverse assembler and a debugger more com- 
plicated basically. As long as the program is executable 
by the processor, it is always possible to analyze the 
program execution process by the sequential analysis 
that follows the program execution from a start of the 
program. In other words, although it is safe in a process 
of distributing the program, it has been impossible to 
conceal the program and data from the third party who 
has means for accessing the computer system that ex- 
ecutes the program once the program is executed. 
[0006] There are also techniques for concealing the 


decrypted program from an external of the microproc- 
essor by providing a built-in encryption/decryption 
processing function in the microporcessor, rather than 
carrying out the encryption/decryption by software, as 

5 disclosed in U.S. Patent No. 4,847,902 (Hampson), U. 
S. Patent No. 5,224,166 (hartman), U.S. Patent No. 
5,825,878 (Takahashi), and Japanese Patent Applica- 
tion Laid Open No. 11-282756 (1999). 
[0007] What is characteristic to the scheme for pro- 

10 viding the built-in encryption/decryption processing 
function in the microprocessor is that the microproces- 
sor can maintain the secret data in a form that is phys- 
ically concealed from an external. Namely, the secret 
data are maintained in such a form that the secret can- 

15 not be revealed even by the destructive inspection of 
the microprocessor. This can be utilized as follows. The 
secret key of the public key cryptosystem is provided as 
a built-in secret data in the microprocessor in advance. 
The program is encrypted by some encryption key (for 

20 which the secret key cryptosystem is used in general) 
by the program vendor, for example, and distributed to 
the microprocessor. At this point, the encryption key is 
further encrypted by the public key corresponding to the 
secret key of the microprocessor and attached to the 

25 program. 

[0008] By this mechanism, it is possible to provide the 
program itself in a safe form, such that its execution 
process cannot be recovered by the analytic method 
such as the reverse assembling. Also, it is cryptograph- 

30 icaiiy difficult to alter the program into an intended form 
without knowing the encryption key of the program. 
[0009] However, these microprocessors for executing 
encrypted programs have been associated with a seri- 
ous problem. Namely, these microprocessors are usu- 

35 ally used under the operating system (OS) for realizing 
the multi-task environment. In the multi-task environ- 
ment, a plurality of programs are executed virtually si- 
multaneously by the time division of the microprocessor 
using the operation called context switching. In the proc- 

40 ess of this context switching, the OS can read and write 
all the execution states of the microprocessor. Conse- 
quently, by analyzing the behavior of the OS or by alter- 
ing the OS itself, it becomes possible to analyze all the 
execution states of the program even if it is supposed 

45 to be protected by the encryption. 

[001 0] The prior art provides a partial resolution of this 
problem. For example, Japanese Patent Application 
Laid Open No. 11-282756 (1999) discloses a technique 
for providing a secret memory in a processor in order to 

50 maintain the secret data of the application. In this exam- 
ple, a predetermined reference value is necessary in or- 
der to access data in the secret memory. However, there 
is no teaching regarding how to protect the reference 
value for obtaining the access right with respect to the 

55 secret data, especially from the operating system, when 
a plurality of programs are running on the same proces- 
sor. 

[0011] Also, Japanese Patent Application No. 
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2000-135010 discloses a technique for carrying out the 
context switching by hardware such that the contents of 
the register files at a time of the context switching are 
encrypted and temporarily saved in a memory, so as to 
conceal the execution states of the program from the 5 
operating system. In this way, it becomes cryptograph- 
ically difficult to recover the secret data by analyzing the 
execution states of the processor that are saved in the 
memory, so that it becomes possible to guarantee the 
safety of the encrypted program. However, this tech- n 
nique is associated with the following problems. 
[0012] The first problem is that the target of protection 
by the encryption is limited only to the register files. 
There can be cases where the microporcessor internally 
has many memories or a large capacity memory be- n 
sides the register files, and it such cases it is expected 
that the processing load due to the context switching be- 
comes heavier in proportion to the capacity. However, 
Japanese Patent Application No. 2000-135010 disclos- 
es absolutely no teaching regarding how to protect 20 
these internal memories and how to reduce the process- 
ing load due to the context switching. 
[0013] For example, in the case where the microproc- 
essor has a large capacity internal memory, the memory 
cannot be protected entirely by the prior art so that the 25 
leakage of the protected data is unavoidable. Also, if an 
attempt to protect it entirely is made, the performance 
degradation due to the encryption processing would be 
caused because of the large capacity, so that it would 
give rise to a severe limitation in practice. 30 
[0014] As a known method for reducing the process- 
ing load due to the context switching in a processor hav- 
ing a large capacity cache memory, there is a method 
for including an identifier for identifying a process that 
owns the cached data into a tag to be used in judging 35 
hit/miss at an associative memory unit of the cache (this 
method will be referred to as a process tag scheme 
hereafter). 

[0015] However, it is difficult to apply this method 
straightforwardly, because the process is a concept 40 
used by the operating system in order to treat the proc- 
essor virtually and it is difficult for the processor itself to 
handle the identifier for identifying the process. Also, 
even if the processor is provided with a mechanism for 
protecting access to data by using an identifier for iden- 45 
tifying the process, as long as the process identifier is 
under the management of the operating system, nothing 
can be done against the leakage of the secret by the 
alteration of the operating system. 

[001 6] The second problem is that the context switch- 50 
ing is fixedly done by hardware and all registers are to 
be saved or recovered so that there is a lack of flexibility. 
For example, in the case of the frequently occurring ex- 
ception processing, it is preferable to realize the optimi- 
zation to save or recover only a part of the register files 55 
but a technique disclosed in Japanese Patent Applica- 
tion No. 2000-1 3501 0 saves or recovers all the contents 
of the register files collectively. 


BRIEF SUMMARY OF THE INVENTION 

[001 7] It is therefore an object of the present invention 
to provide a microporcessor which is capable of guar- 
anteeing both the secrecy of the program itself and the 
secrecy of data handled by the program cryptographi- 
cally, and reducing the processing load due to the con- 
text switching under the multi-task environment. 
[0018] It is another object of the present invention to 
provide a microprocessor which is capable of realizing 
the optimization of protection target processing in order 
to enable saving or recovery of only a necessary part of 
data under the multi-task environment. 
[0019] According to one aspect of the present inven- 
tion there is provided a microprocessor, comprising: an 
instruction decryption processing unit configured to de- 
crypt a program in an encrypted form by using a first 
encryption key; a data encryption/decryption processing 
unit configured to encrypt/decrypt data processed by the 
program in a decrypted form by using a second encryp- 
tion key; a key pair management unit connected to the 
instruction decryption processing unit and the data en- 
cryption/decryption processing unit, having a first mem- 
ory region for storing the first encryption key and the sec- 
ond encryption key in correspondence as a key pair; and 
a second memory region for storing an identifier for iden- 
tifying the key pair, along with related data of the pro- 
gram. 

[0020] According to another aspect of the present in- 
vention there is provided a data protection method for a 
microprocessor, the data protection method comprising: 
decrypting a program in an encrypted form by using a 
first encryption key; generating a second encryption key 
corresponding to the first encryption key, for encrypting/ 
decrypting data processed by the program in a decrypt- 
ed form; storing the first encryption key and the second 
encryption key in correspondence as a key pair; giving 
an identifier for identifying the key pair, to the key pair; 
and reading out the second encryption key according to 
the identifier, encrypting the data by using the second 
encryption key and saving the data in an encrypted form 
to an external memory when an exception occurs during 
an execution of the program. 

[0021] The present invention can be implemented ei- 
ther in hardware or on software in a processor. Further 
the present invention can be implemented in a combi- 
nation of hardware and software. The present invention 
can also be implemented by a single processing appa- 
ratus or a distributed network of processing apparatus- 
es. 

[0022] Since the present invention can be implement 
ed by software, the present invention encompasses 
computer code provided to a processor on any suitable 
carrier medium. The carrier medium can comprise any 
storage medium such as a floppy disk, a CD ROM, a 
magnetic device or a programmable memory device, or 
any transient medium such as any signal e.g. an elec- 
trical, optical or microwave signal. 
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[0023] Other features and advantages of the present 
invention will become apparent from the following de- 
scription taken in conjunction with the accompanying 
drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0024] Fig. t is a block diagram showing an exempla- 
ry configuration of a microprocessor according to the 
first embodiment of the present invention. 
[0025] Fig. 2 is a diagram showing a flow of process- 
ing for encrypting and saving data to be carried out by 
the microprocessor of Fig. 1 . 

[0026] Fig. 3 is a diagram showing a flow of process- 
ing for recovering saved data to be carried out by the 
microprocessor of Fig. 1 . 

[0027] Fig. 4 is a block diagram showing an exempla- 
ry detailed configuration of a processor core in the mi- 
croprocessor of Fig. 1 . 

[0028] Fig. 5 is a block diagram showing an exempla- 
ry detailed configuration of an arithmetic logical opera- 
tion unit in the processor core of Fig. 4. 
[0029] Fig. 6 is a block diagram showing an exempla- 
ry detailed configuration of a system register in the proc- 
essor core of Fig. 4. 

[0030] Fig. 7 is a block diagram showing an exempla- 
ry detailed configuration of an instruction cache in the 
microprocessor of Fig. 1. 

[0031] Fig. 8 is a block diagram showing an exempla- 
ry detailed configuration of a data cache in the micro- 
processor of Fig. 1 . 

[0032] Fig. 9 is a block diagram showing an exempla- 
ry detailed configuration of an instruction decryption 
processing unit in the microprocessor of Fig. 1 . 
[0033] Fig. 10 is a block diagram showing an exem- 
plary detailed configuration of a data encryption/decryp- 
tion processing unit in the microprocessor of Fig. 1 . 
[0034] Fig. 11 is a block diagram showing an exem- 
plary detailed configuration of a key pair management 
unit in the microprocessor of Fig. 1. 
[0035] Fig. 12 is a flow chart showing a processing to 
be carried out by the microprocessor of Fig. 1 at a time 
of interruption occurrence. 

[0036] Fig. 1 3 is a flow chart showing details of an ex- 
ception processing routine in the processing shown in 
Fig. 12. 

[0037] Fig. 1 4 is a flow chart showing details of a con- 
text recovery step in the processing shown in Fig. 12. 
[0038] Fig. 15 is a block diagram showing an exem- 
plary detailed configuration of a key pair table in a mi- 
croprocessor according to the second embodiment of 
the present invention. 

DETAILED DESCRIPTION OF THE INVENTION 

[0039] Referring now to Fig. 1 to Fig. 14, the first em- 
bodiment of a microprocessor according to the present 
invention will be described in detail. In the present in- 


vention, it is presupposed that the microprocessor exe- 
cutes the encrypted program under the multi-task envi- 
ronment. 

[0040] Fig. 1 shows a functional configuration of the 

5 microprocessor 101 according to the first embodiment. 
The microprocessor 101 has a processor core 201 for 
executing the program, an instruction cache 301 for 
temporarily storing instruction sequences of the pro- 
gram, a data cache 401 for temporarily storing data 

10 processing by the program, an instruction decryption 
processing unit 501 for decrypting the encrypted pro- 
gram at a time of execution and supplying the decrypted 
program to the processor core 201, a data encryption/ 
decryption processing unit 601 for encrypting or de- 

15 crypting data executed by the decrypted program, and 
a key pair management unit 701 . 
[0041 ] For the decryption of the encrypted program at 
the instruction decryption processing unit 501, a pro- 
gram key given by the public key cryptosystem is used. 

20 Also, for the encryption/decryption of the data proc- 
essed by the program, a data key generated in corre- 
spondence to the program key is used. One feature of 
the first embodiment is that the key pair management 
unit 701 has a key pair table for storing these program 

25 key and data key in one-to-one correspondence as a 
pair, as will be described in detail below. 
[0042] Also, the processor core 201 includes a sys- 
tem register 21 0 and a register file 230. The system reg- 
ister 21 0 indicates a tag (identifier) for identifying the key 

30 pair for the currently executed program. The register file 
230 stores the program data or the processed data 
along with a tag of the corresponding key pair. These 
functions will be described in further detail below. 
[0043] The microprocessor 101 also has a processor 

35 bus 102 and an external bus interface 103, through 
which the microprocessor 101 is connected to a memory 
or peripheral devices provided outside of the microproc- 
essor 101. 

[0044] The processor core 201 , the instruction cache 
40 301 and the data cache 401 are located within a pro- 
tected region 104 indicated by a dashed line in Fig. 1. 
The protected region 104 is a region protected from the 
external or the OS, and data are handled in plaintext 
forms within this region. On the other hand, outside the 
45 protected region 104, data to be concealed are always 
encrypted. When the encrypted data is read from out- 
side of the protected region 104 into inside of the pro- 
tected region 104, it is decrypted by the instruction de- 
cryption processing unit 501 when it is to be read as in- 
50 struction, or it is decrypted by the data encryption/de- 
cryption processing unit 601 when it is to be read as da- 
ta. The program key and the data key to be used for the 
decryption are supplied from the key pair management 
unit 701. 

55 [0045] As mentioned above, one feature of the first 
embodiment is that the decrypted data in plaintext form 
is attached with a tag for identifying the key pair used in 
the decryption processing as an attribute indicating that 
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the cryptographic operation was applied, and stored in 
the register file 230 inside the processor core 201 . 
[0046] Fig. 2 and Fig. 3 show an outline of the 
processing by the microprocessor 101 . 
[0047] First, as shown in Fig. 2, at the step S21, the 
instruction sequence of the encrypted program stored 
in the external memory 901 outside the microprocessor 
101 is decrypted by using the program key of the key 
pair (which will be referred to as an effective key pair 
hereafter) that is effective for the currently executed pro- 
gram. The current effective key pair is a key pair whose 
tag is indicated by the system register 210 so that it can 
be ascertained according to this tag. In the example of 
Fig. 2, the tag value of the effective key pair is #1. Ac- 
cording to this tag value, the program key corresponding 
to the tag #1 is read out from the key pair table 710 of 
the key pair management unit 701 . 
[0048] Next, at the step S23, the program is executed 
according to the decrypted instruction sequence which 
is now in the plaintext form. The data obtained as a result 
of the execution of the program, i.e., the operational ma- 
nipulation, are attached with a key pair tag and stored 
into the register file 230. 

[0049] Next, at the step S25, the data in the register 
file 230 are transferred to the data cache 401. 
[0050] Finally, at the step S27, the data key is read 
out from the key pair table 71 0 according to the key pair 
tag attached to the data, the data are encrypted by using 
the data key, and the encrypted data are transferred 
(saved) to the external memory. 
[0051] Fig. 3 shows the recovery processing for the 
saved data. 

[0052] First, the key pair tag to be used for the recov- 
ery is specified. Then, at the step S31, the encrypted 
data are read from the external memory 901 into the mi- 
croprocessor 1 01 , the data key specified by the key pair 
tag is read out from the key pair table 71 0, the encrypted 
data are decrypted by using the data key, and the de- 
crypted data are cached into the data cache 401 within 
the protected region 104. 

[0053] Next, at the step S33, the plaintext data on the 
data cache 401 are transferred to the register file 230. 
Then, at the step S35, the operational manipulation with 
respect to the data on the register file 230 is resumed. 
[0054] Fig. 4 to Fig. 11 show detailed configurations 
of constituent elements of the microprocessor 101 that 
carries out the operation as described above. With ref- 
erences to Fig. 4 to Fig. 11, the configuration of each 
constituent element and the protection function based 
on the key pair tag will now be described in detail. 
[0055] Fig. 4 shows an exemplary detailed configura- 
tion of the processor core 201. In the following, an ex- 
emplary case of adding modifications according to the 
present invention to an architecture of the RISC type mi- 
croprocessor manufactured by the MIPS Technologies, 
Inc. will be described. More specifically, in the following 
example, the processor pipeline structure is based on 
the R3000 type of the MIPS Technologies, Inc., and the 


instruction set is based on the MIPS-I or MIPS-IV in- 
struction set of the MIPS Technologies, Inc., but the ap- 
plicability of the present invention is not limited to the 
processor of the MIPS Technologies, Inc. 
5 [0056] Note that the five pipeline stages I F (instruction 
fetch), RF (register read), EX (execution), MEM (mem- 
ory access) and WB (write back) of the processor core 
201 of Fig. 4 are indicated at a leftmost section of Fig. 4. 
[0057] The processor core 201 contains the system 
w register 21 0, an instruction fetch decoder 200, the reg- 
ister file 230, an operation unit 250, and a memory ac- 
cess unit 260. 

[0058] The system register 210 is based on the sys- 
tem register corresponding to CPO of MIPS R3000, to 

15 which the virtual address management function and the 
exception processing function are added, and an effec- 
tive key pair tag register 211 for storing a tag of the ef- 
fective key pair which specifies the currently executed 
process is provided. Namely, the effective key pair tag 

20 register 211 stores a tag indicating the key pair to be 
used for the encryption processing of the currently exe- 
cuted effective program and the data processed by this 
program. 

[0059] The instruction fetch decoder 220 contains a 

25 program counter (PC) 221, an instruction buffer 222, 
and an instruction execution control unit 223. Under the 
control of the instruction execution control unit 223, the 
instruction is fetched to the instruction buffer 222 from 
an address indicated by the program counter 221, and 

30 the signal (now shown) for controlling each data path is 
generated by decoding the fetched instruction. 
[0060] In the first embodiment, not just an instruction 
address but also a value of the effective key pair tag 
register 211 that indicates the currently executed proc- 

35 ess are sent as parameters of a read request with re- 
spect to the instruction cache 301. 
[0061] Each register 231 in the register file 230 has a 
register data portion 231-1 as well as a register tag por- 
tion 231-2 that is characteristic to the present invention. 

40 The register tag portion 231-2 stores the key pair tag 
that indicates the protection attribute based on the en- 
cryption of data stored in that register. 
[0062] At the RF (register read) phase of the instruc- 
tion execution pipeline, the content of the register data 

45 portion 231-1 is put on an operand bus 240, and the con- 
tent of the register tag portion 23 1 -2 is put on an operand 
tag bus 241 . 

[0063] An arithmetic logical operation unit 250 corre- 
sponds to the EX phase of the instruction execution 

50 pipeline. In the first embodiment, the arithmetic logical 
operation unit 250 has a tag judgement unit 252 forjudg- 
ing the operand of the operation in addition to an ordi- 
nary operator (operation data path) 251. 
[0064] As shown in Fig. 5, the tag judgement unit 252 

55 has a function for determining whether the execution of 
the operation is permitted or not according to at least 
three values including a type of the operation, a value 
of the tag attached to the operand of the operation, and 
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the effective key pair tag. The type of operation is en- 
tered from the instruction execution control unit 223 into 
the tag judgement unit 252, and the tag value is entered 
from the tag portion 231-2 of the register file 230. The 
current effective key pair tag is entered from the effec- 
tive key pair tag register 211 of the system register 210. 
When the execution is judged as not permitted by the 
tag judgement unit 252, the processor core 201 will 
cause an exception that cannot be resumed, and that 
instruction will be aborted. When the execution is judged 
as permitted by the tag judgement unit 252 and if the 
execution result for that instruction exists, data of that 
execution result will be put on a result bus 280 and a 
key pair tag of that execution result will be put on a result 
tag bus 281. 

[0065] The memory access unit 260 corresponds to 
the EX/MEM phase of the instruction execution pipeline. 
In the first embodiment, the memory access unit 260 has 
a data transfer tag judgement unit 262 in addition to an 
ordinary address calculation unit 261 . 
[0066] The memory access unit 260 outputs not just 
a data address obtained by the address calculation unit 
261 but also either the tag value attached to the operand 
or the effective key pair tag value as parameters of a 
read/write request with respect to the data cache 401 . 
A tag judgement unit 262 has a function for determining 
whether the execution of the transfer is permitted or not 
according to at least four values including a data transfer 
source, a data transfer destination, a value of the tag 
attached to the data to be transferred, and the effective 
key pair tag. When the execution is judged as not per- 
mitted by the tag judgement unit 262, the processor core 
201 will cause an exception that cannot be resumed, 
and that instruction will be aborted. When the execution 
is judged as permitted by the tag judgement unit 262 
and if the execution result for that instruction exists, data 
of that execution result will be put on the result bus 280 
and a key pair tag of that execution result will be put on 
the result tag bus 281 . 

[0067] A key pair management unit interface 270 for 
controlling a key pair management unit 701 to be de- 
scribed below is unique to the present invention. 
[0068] At the WB stage of the instruction execution 
pipeline, the data on the result bus 280 and the key pair 
tag on the result tag bus 28 1 are written back to the reg- 
ister file 230 if necessary. 

[0069] Fig. 6 shows a configuration of the system reg- 
ister 21 0 for indicating the current effective key pair tag. 
The effective key pair tag register 211 indicates a tag of 
the effective key pair of the currently executed program. 
[0070] In the first embodiment, two tag values among 
the key pair tag values are reserved for the special pur- 
poses. One is a tag value for indicating that the encryp- 
tion processing should not be carried out (a tag with this 
tag value will be referred to as a zero tag). At the instruc- 
tion decryption processing unit 501 and the data encryp- 
tion/decryption processing unit 601 , data (or instruction) 
are transferred without carrying out the encryption op- 


eration when the zero tag (tag-0) is indicated as the key 
pair tag. Another one is a tag value (tag-K) that is re- 
served for use when the kernel mode is selected as the 
operation mode of the processor. For the key pair cor- 
s responding to this tag value, the program key and the 
data key of a process to be executed in the kernel mode 
(which is the operating system in the ordinary computer 
system) are registered. 

[0071] The effective key pair tag register 211 has a 
10 kernel mode key pair tag register 211-1 for storing the 
key pair tag in the kernel mode and a user mode key 
pair tag register 211-2 for storing the key pair tag in the 
user mode, either one of which will be selected accord- 
ing to the effective mode of the processor at a time to 

15 output the key pair tag (effective key pair tag) that is ef- 
fective in the following processing. 
[0072] Fig. 7 shows an exemplary detailed configura- 
tion of the instruction cache 301. The instruction cache 
301 comprises arrays of a plurality of instruction cache 

20 ijnes 302. The cache line of the present invention carries 
out the search of an address in the cache, and each in- 
struction cache line has a key pair tag region 302-1 for 
storing the key pair tag that indicates the protection at- 
tribute of the program data cached in that line, i.e., the 

25 program key to be applied to the cached program data, 
which is the characteristic feature of the present inven- 
tion. The size of the key pair tag region 302-1 can be as 
many number of bits that can index ail the entries of the 
key pair table to be described below. For example, in 

30 the case of using the key pair tag with 64 entries, the 
key pair tag region 302-1 with 6 bits size is sufficient. 
Note that each cache line is also provided with regions 
for indicating address that indicates the location of the 
program data in the external memory and its state. 

35 [0073] Fig. 8 shows an exemplary detailed configura- 
tion of the data cache 401. The instruction cache 401 
comprises arrays of a plurality of data cache lines 402. 
Each data cache line also has a key pair tag region 
402-1 for storing the key pair tag that indicates the pro- 

40 tection attribute of the processed data cached in that 
line, i.e., the data key to be applied to the cached proc- 
essed data. Note that each cache line is also provided 
with regions for indicating address in the external mem- 
ory and its state similarly as the instruction cache 301. 

45 [0074] Fig. 9 shows an exemplary detailed configura- 
tion of the instruction decryption processing unit 501 and 
its operation. The instruction decryption processing unit 
501 comprises a command data register 502 for tempo- 
rarily storing the program data that is the decryption 

50 processing target and its encryption key. a decryption 
unit 503 for carrying out the decryption using the secret 
key, and a control unit 504 for controlling the command 
data register 502 and the decryption unit 503. 
[0075] The instruction decryption processing unit 501 

55 first receives a read request from the instruction cache 
301. The parameters to be used at this point are the ad- 
dress in the external memory and the key pair tag for 
specifying the encryption key (program key) to be ap- 
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plied to the read out program data. Then, a read request 
is issued to the external memory by using the address 
as a parameter. Also, a program key read request is is- 
sued to the key pair management unit 701 by using the 
key pair tag as a parameter. 

[0076] The encrypted program data from the external 
memory and the program key from the key pair man- 
agement unit 701 that are sent in response to these read 
requests are stored into the command data register 502. 
The decryption unit 503 decrypts the encrypted program 
data by applying the program key to the encrypted pro- 
gram data on the command data register 502. When the 
decryption is completed, the plaintext data are outputted 
to the instruction cache 301 . 

[0077] Fig. 10 shows an exemplary detailed configu- 
ration of the data encryption/decryption processing unit 

601 and its operation. The data encryption/decryption 
processing unit 601 comprises a command data register 

602 for temporarily storing data in the plaintext form or 
the encrypted form that are processed by the program, 
an encryption/decryption unit 603 for carrying out the 
encryption/decryption using the secret key, and a con- 
trol unit 604 for controlling the command data register 
602 and the encryption/decryption unit 603. 

[0078] The data encryption/decryption processing 
unit 601 first receives a read/write request from the data 
cache 401. The read request is issued after the inter- 
ruption processing in the case of recovering the data 
that have been saved into the external memory tempo- 
rarily at a time of the occurrence of the exception due to 
the interruption, for example. The write request is issued 
at a time of the occurrence of the interruption in the case 
of saving the data processed up to that point into the 
external memory by encrypting them in order to protect 
the data. 

[0079] The parameters of the read request are the ad- 
dress in the external memory and the key pair tag for 
specifying the encryption key to be applied to the read 
out data. 

[0080] First, a read request is issued to the external 
memory by using the address as a parameter. Also, a 
data key read request is issued to the key pair manage- 
ment unit 701 by using the key pair tag as a parameter. 
The processed data in the encrypted form from the ex- 
ternal memory and the key data from the key pair man- 
agement unit 701 that are sent in response to these read 
requests are stored into the command data register 602. 
The encryption/decryption unit 603 decrypts the en- 
crypted data by applying the data key to the encrypted 
data on the command data register 602. When the de- 
cryption is completed, the plaintext data are outputted 
to the data cache 401. 

[0081] On the other hand, the parameters of the write 
request are the address in the external memory to which 
the processed data should be written (i.e., to which the 
processed data should be temporarily saved), the data 
to be transferred, and the key pair tag for specifying the 
encryption key to be applied to the data. 


[0082] First, a data key read request is issued to the 
key pair management unit 701 by using the key pair tag 
as a parameter. Then, the encryption/decryption unit 
603 encrypts the plaintext data by applying by applying 

5 the data key to the plaintext data on the command data 
register 602. When the encryption is completed, the en- 
crypted data are outputted to the external memory. 
[0083] Fig. 11 shows an exemplary detailed configu- 
ration of the key pair management unit 701 . The key pair 

10 management unit 701 comprises a processor core in- 
terface 702, an instruction decryption processing unit in- 
terface 703, a data encryption/decryption processing 
unit interface 704, the key pair table 710, and a key pair 
control unit 720. 

*5 [0084] The key pair table 710 has a plurality of key 
pair entries 711 . Each key pair comprises a program key 
711-1 and a data key 711-2. The key pair of the present 
invention is an index of the key pair table 71 0 formed by 
these key pair arrays. The operations of he key pair table 

20 710 include the following three reading operations and 
one writing operation. 

(1 ) Program key reading: 

25 [0085] This is the operation to be carried out between 
the instruction decryption processing unit 501 and the 
key pair management unit 701. This is the reading op- 
eration through a port connected to the instruction de- 
cryption processing unit interface 703, in which the pro- 

30 gram key of the key pair specified by the key pair tag (i. 
e., index) in the register of the instruction decryption 
processing unit 501 is read out and outputted. 

(2) Data key reading: 

35 

[0086] This is the operation to be carried out between 
the data encryption/decryption processing unit 601 and 
the key pair management unit 701. This is the reading 
operation through a port connected to the data encryp- 
40 tion/decryption processing unit interface 704, in which 
the data key of the key pair specified by the key pair tag 
(i.e., index) in the register of the data encryption/decryp- 
tion processing unit 601 is read out and outputted. 

45 (3) Key pair reading: 

[0087] This is the operation to be carried out between 
the processor core 201 and the key pair management 
unit 701. This is the reading operation through a port 
50 connected to the key pair control unit 720, in which both 
the program key and the data key of the key pair spec- 
ified by the key pair tag are read out and outputted. 

(4) Key pair writing: 

55 

[0088] This is the writing operation through a port con- 
nected to the key pair control unit 720, in which the pro- 
gram key and the data key given as parameters are 
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stored as the key pair on the key pair table 710 specified 
by the index. 

[0089] The key pair control unit 720 of the key pair 
management unit 701 carries out the following three op- 
erations according to requests from the processor core 
201. 

(1) New key pair registration: 

[0090] In the case of executing a new encrypted pro- 
gram, there is a need to newly register a pair of the pro- 
gram key for decrypting that encrypted program and the 
data key for encrypting/decrypting the data processed 
by that program. The key pair control unit 720 receives 
the program key data obtained by encrypting the pro- 
gram key by using the public key of the processor and 
the key pair tag to be used for this program key from the 
processor core 201 . The program key data are stored 
into a key registration register 721, while the key pair 
tag is used as an index to the key pair table 710. 
[0091] A public key encryption processing unit 722 
decrypts the key data on the key registration register 
721 by using the secret key of the processor, and stores 
the encrypted key data into a program key storage re- 
gion 724-1 of a key pair register 724. Also, a data key 
generation unit 723 generates the data key by using ar- 
bitrary means such as a random number generation 
function, and stores the generated data key into a data 
key storage region 724-2 of the key pair register 724. 
When these two keys are stored into the key pair register 
724, the key pair control unit 720 registers a new key 
pair into the key pair table 710 according to the key pair 
writing operation of the key pair table 710. 

(2) Existing key pair reading: 

[0092] The key pair control unit 720 receives a nec- 
essary key pair tag from the processor core 201 . This 
key pair tag will be used as an index to the key pair table 
710. The key pair table 710 reads out the key pair spec- 
ified by the index by its reading operation, and stores 
the result into the key pair register 724 of the key pair 
control unit 720. A key pair encryption processing unit 
725 encrypts the program key 724-1 and the data key 
724-2 in the plaintext form stored in the key pair register 
724 as a single data by using the secret key of the proc- 
essor, and stores the result into an encrypted key pair 
register 726. The key pair control unit 720 outputs data 
on the encrypted key pair register 726 to the processor 
core 201. 

(3) Existing key pair writing: 

[0093] The key pair control unit 720 receives the key 
pair tag and the key pair data in which the key pair is 
encrypted by the secret key of the processor from the 
processor core 201. The key pair data are stored into 
the encrypted key pair register 726, while the key pair 


tag is used as an index to the key pair table 710. The 
key pair encryption processing unit 725 decrypts data 
on the encrypted key pair register 726 by using the se- 
cret key of the processor. The resulting plaintext data 
5 are stored into the key pair register 724 as the program 
key and the data key. The key pair table 710 writes the 
key pair on the key pair register 724 by its writing oper- 
ation. 

[0094] Now, in the microprocessor of the present in- 
fo vention, a plurality of memories for storing data internal- 
ly exist. In addition, there are also external memories to 
be accessed through the external bus interface 103. 
Among them, the memories provided inside the micro- 
processor which have regions for storing the key pair 
15 tag (such as the system register 210, the register file 
230. etc.) will be referred to as "internal memories". 
Among the internal memories, those memories which 
are cache memories (such as the instruction cache 301 , 
the data cache 401 , etc.) will be referred to as "internal 
20 cache memories". On the other hand, memories provid- 
ed outside the processor or memories which are provid- 
ed inside the processor but which have no regions for 
storing the key pair tag will be referred to as "external 
memories". 

25 [0095] In the following, details of the data transfers 
among these memories will be described, the data 
transfers among memories can be classified into four 
cases depending on whether the transfer source and the 
transfer destination are internal or external, including (i) 

30 from an internal memory to an internal memory, (ii) from 
an internal memory to an external memory, (iii) from an 
external memory to an internal memory, and (iv) from 
an external memory to an external memory. 
[0096] Also, in this embodiment, the RISC type proc- 

35 essor is presupposed so that the data transfers can also 
be classified according to the causes of the data trans- 
fers as follows. Here a way of specifying the key pair tag 
that the transfer destination should have at a time of the 
transfer is also indicated. 

40 

(1 ) Data transfer caused by the instruction fetch by the 
instruction fetch decoder 220 of the processor core 201 : 

[0097] The key pair tag of the transfer destination in 
45 this case is the tag of the effective key pair of the cur- 
rently executed program. 

(2) Data transfer caused by the execution of a load 
instruction or a store instruction at the memory access 

50 unit 260 of the processor core 201 : 

[0098] The key pair tag of the transfer destination in 
this case is the tag of the effective key pair of the cur- 
rently executed program. However, in the present inven- 
55 tion, tag specifying load instruction and tag specifying 
store instruction that specify the key pair tag that the 
transfer destination should have as an operand of the 
instruction are added to the load instruction and the 
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store instruction of MIPS. The instruction format and the 
way of specifying the operand for these instructions are 
arbitrary. 

(3) Data transfer caused by the execution of an 5 
instruction at the arithmetic logical operation unit 250 of 
the processor core 201: 

[0099] In the RISC type processor, only the register 
can be the data transfer destination of the operation in- 10 
struction, so that the data transfer in this case can only 
be the data transfer between registers on the register 
file 230. The key pair tag of the transfer destination in 
this case is the tag of the currently effective key pair. 
[0100] Next, a mechanism for protecting data to be *5 
concealed in this embodiment will be described. The da- 
ta protection is realized at the tag judgement unit 252 of 
the arithmetic logical operation unit 250, the tag judge- 
ment unit 262 of the memory access unit 260, and the 
instruction execution control unit 223. In any of them, 20 
whether the data transfer is permitted or not is deter- 
mined according to the common tag judgement rules. 
The criteria for the judgement include (1) an identifier 
for specifying the data transfer source, (2) a key pair tag 
attached to the data to be transferred (which will be re- 25 
ferred to as "data tag"), and (3) a key pair tag that the 
transfer destination should have (which will be referred 
to as "transfer destination tag"). 
[0101] The minimum necessary rules for the tag 
judgement related to the data transfer are as listed be- 30 
low. It is also possible to add further rules in form of re- 
fusing the transfer according to the need. Also, the en- 
cryption processing can be applied in conjunction with 
the data transfer if necessary. 

35 

(1 ) The data transfer is permitted when it is the data 
transfer between internal memories where the 
transfer source is the internal cache, only if the data 
tag coincides with the transfer destination tag. Data 

will be transferred as they are, and the data tag will *o 
be added to the transfer destination. 

(2) The data transfer is permitted unconditionally 
when it is the data transfer between internal mem- 
ories where the transfer source is not the internal 
cache, and the data tag is set as the transfer desti- 45 
nation tag. 

(3) The data transfer is permitted unconditionally 
when it is the data transfer from an internal memory 
to an external memory. In this case, data are en- 
crypted by using the encryption key (data key) of 50 
the key pair specified by the data tag. Namely, in 

the case of transferring data from the internal mem- 
ory to the external memory, the data are encrypted 
by using the data key of the key pair specified by 
the data tag at the data encryption/decryption 55 
processing unit 601 first. The instruction fetch is 
used for the reading alone, and there is no operation 
for writing data to the external. 


(4) The data transfer is permitted unconditionally 
when it is the data transfer from an external memory 
to an internal memory. In this case, data are de- 
crypted by using the encryption key of the key pair 
specified by the transfer destination tag. Namely, in 
the case of transferring data from the external mem- 
ory to the internal memory, if it is the data transfer 
caused by the instruction fetch, the data are de- 
crypted by using the program key of the key pair 
specified by the transfer destination tag via the in- 
struction decryption processing unit 501. If it is the 
data transfer caused by something other than the 
instruction fetch, the data are decrypted by using 
the data key of the key pair specified by the transfer 
destination tag via the data encryption/decryption 
processing unit 601. 

(5) The processor of this embodiment will not be in- 
volved when it is the data transfer between external 
memories. Consequently, the data transfer be- 
tween external memories will be carried out similar- 
ly as in the prior art. 

[0102] Next, the context switching which is the basic 
processing of the operating system (OS) will be de- 
scribed with references to Fig. 12 to Fig. 14 for an ex- 
emplary case of processing using the above described 
protection function. As in the above, the exemplary case 
of using the R3000 type processor of the MIPS technol- 
ogies, Inc. will be described below. 
[0103] Here, it is assumed that the encrypted program 
"program-1" is executed in the user mode, at the step 
S1 201 . The program key "progkey-1 " for decrypting that 
program and the data key "datakey-r generated at a 
time of newly registering the program key are stored as 
the key pair in the key pair table 710. This key pair is 
identified by the key pair tag "tag-1". 
[0104] Then, suppose that an exception occurs in the 
processor for reasons such as an interrupt from external 
source. In this case, the processor saves the current val- 
ue of the program counter to the exception recovery reg- 
ister at the step S1203. At this point, the effective key 
pair tag is also saved in the exception recovery register. 
Then, the operation mode of the processor is switched 
from the user mode to the kernel mode at the step 
S1205. The tag value is switched from the tag value of 
the effective key pair to the tag value "tag-K" reserved 
for the kernel mode. By the switching of the operation 
mode and the tag value, the exception processing rou- 
tine that is provided as a part of the OS is activated at 
the step S1207. When the exception processing routine 
is finished, the operation mode is switched to the user 
mode again so as to recover the context at the step 
S1209. 

[0105] Fig. 1 3 shows details of the exception process- 
ing routine of the step S1207. First, a store instruction 
for storing the context of the program that was executed 
when the exception occurred, i.e., the content of the reg- 
ister file 230, into the external memory is executed at 
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the step S1 301 . Also, the key pair specified by the saved 
effective key pair tag (tag-1 ) is read out from the key pair 
management unit 701 to the register file 230 (by the ex- 
isting key pair reading operation) at the step S1303. 
Note that the key pair data read out to the register file 
230 is attached with tag-K because it is data of the OS. 
The read out key pair data is then transferred from the 
register file 230 to the memory at the step S1305. 
[0106] In this series of operations, if the OS carries 
out the arithmetic logical operation with respect to the 
data in the user mode (to which tag-1 is attached) im- 
properly, this operation will not be permitted because of 
the operation limiting condition described above. On the 
other hand, the transfer of the data in the user mode to 
the external is the data transfer permitted by the data 
transfer limiting condition. At this point, the context of 
the user is saved outside of the register file 230, but 
whether it is saved at the data cache (internal memory) 
or it is saved at the external memory depends on the 
state of the data cache. Note however that the saving 
of the context from the register file 230 is already com- 
pleted from a viewpoint of the operation of the OS. Then, 
the interruption processing is executed at the step 
S1307. 

[0107] Fig. 14 shows the user context recovery 
processing (that is, the resuming of the program) after 
the exception processing routine is completed. First, the 
key pair saved in the memory is loaded from the memory 
as data of the OS at the step S1401. Then, this key pair 
is stored as the key pair corresponding to tag-1 in the 
key pair table 71 0 (by the existing key pair writing oper- 
ation) at the step S1403. Next, the context saved in the 
memory is recovered to the register file 230 at the step 
S1405. At this point, the transfer destination tag at- 
tached load instruction is executed, and tag-1 is speci- 
fied as the transfer destination tag. Also, the program 
counter value to be recovered and the effective key pair 
tag (tag-1) are stored into the exception recovery regis- 
ter at the step S1407. Finally, the transition to the user 
mode is made by using the exception recovery instruc- 
tion (ERET instruction in the MIPS-IV) at the step 
S1409, and this completes the context recovery. The da- 
ta transfer in this series of operations is also the data 
transfer permitted by the data transfer limiting condition 
described above. 

[0108] The fact that data attached with tag-1 are pro- 
tected at times of the context saving and recovery can 
be confirmed as follows. First, during the execution us- 
ing the key pair tag other than tag-1 as the effective key 
pair tag, data with tag-1 cannot be a target of the oper- 
ation according to the data transfer limiting condition. 
On the other hand, during the execution of the program 
decrypted by using the program key specified by tag-1, 
the value of the effective key pair tag is tag-1 so that the 
OS cannot ascertain the processing inside the micro- 
processor. When the executed data are transferred to 
the external memory by the interruption or the like, the 
data are encrypted by using the data key of the key pair 


specified by tag-1 , and this data key cannot possibly be 
ascertained without knowing the secret key of the mi- 
croprocessor. Also, at a time of the context recovery, da- 
ta are recovered by the tag attached load instruction, 
5 and this tag is different from the effective key pair tag of 
the OS so that an access from the OS will not be per- 
mitted. Conversely, even if the effective key of the OS 
itself is secretly changed to tag-1 which is the key pair 
tag of the recovered user context, the own instruction 
*o sequence would be decrypted by using the program key 
that is unknown to the OS, so that the OS would have 
to execute the unexpected instructions. 
[0109] In this way, by handling the program key and 
the data key as inseparable key pair, it becomes possi- 

15 ble to conceal the secret data even from the program 
executed in the privileged mode. 
[0110] Referring now to Fig. 15, the second embodi- 
ment of a microprocessor according to the present in- 
vention will be described in detail. 

20 [01 1 1] Fig. 1 5 shows, a configuration of a key pair ta- 
ble 810 to be used in the microprocessor according to 
the second embodiment of the present invention. The 
first embodiment described above uses a method for 
handling one program key and one data key in one-to- 

25 one correspondence relationship, whereas the second 
embodiment uses a method for handling one program 
key and a plurality of data key in correspondence. 
[0112] Under the multi-task environment, there can 
be cases where different types of data processings are 

30 to be carried out for the same one program. In such cas- 
es, there is only one decryption key of the program (pro- 
gram key) but there are separate data keys for encrypt- 
ing/decrypting the processed data. If each one of these 
separate data keys is paired with the program and 

35 stored separately, a huge memory capacity would be re- 
quired. 

[0113] For this reason, in the second embodiment, the 
index of the program key and the index of the data key 
are stored in pair while the program key and the data 

40 key are stored separately. 

[0114] Fig. 15 shows an exemplary configuration of 
the key pair table 810 of the second embodiment, which 
comprises a key table 820 for storing the keys them- 
selves, and a key pair look up table 830 formed by in- 

45 dexes for indirectly looking up the keys. 

[0115] The key table 820 is formed by arrays of entries 
in which the program key and the data keys are entered 
separately. On the other hand, the key pair look up table 
830 indicates the key pairs, but instead of directly storing 

50 the key pairs, it is formed by the index 831-1 of the pro- 
gram key and the index of the data key 831-2. Using 
these indexes, it becomes possible to specify a partic- 
ular program and a plurality of data to be processed by 
this program. For example, in the example of Fig. 15, 

55 these indexes can be used to combine data to be en- 
crypted/decrypted by using the data key #4 and data to 
be encrypted/decrypted by using the data key #5 with 
the same program to be decrypted by using the program 


10 


19 


EP 1 202 150 A2 


20 


key #3. 

[0116] The operations of the key table 820 include the 
following reading operation and writing operation. 

(1 ) Key reading: 5 

10117] The common key of the key entry specified by 
the index given as a parameter is read out from the key 
table 820. 

10 

(2) Key writing: 

[0118] First, one unused key entry is allocated. Then, 
the common key (the program key or the data key) given 
as a parameter is stored into that key entry, and an index f 5 
for specifying the allocated key entry is outputted. 
[0119] The operations of the key pair table 810 are 
basically the same as those of the key pair table 710 of 
the first embodiment. However, as the key pair table 810 
is divided into the key table 820 and the key pair look 20 
up table 830, details of the key reading and writing be- 
come as follows. 

(1 ) Program key reading: 

25 

[0120] This is the reading operation through a port 
connected to the instruction decryption processing unit 
interface 703, in which the key reading operation with 
respect to the key table 820 is carried out by using the 
index of the program key among the keys specified by 30 
the index pair in the key pair look up table 830, and its 
result is outputted. 

(2) Data key reading: 

35 

[0121] This is the reading operation through a port 
connected to the data encryption/decryption processing 
unit interface 704, in which the key reading operation 
with respect to the key table 820 is carried out by using 
the index of the data key among the keys specified by 40 
the index pair in the key pair look up table 830, and its 
result is outputted. 

(3) Key pair reading: 

45 

[0122] This is the reading operation through a port 
connected to the key pair control unit 720, in which both 
the program key and the data key of the key pair spec- 
ified by the index pair in the key pair look up table 830 
are read out from the key table 820 by using the respec- 50 
five indexes, and the obtained two keys are outputted. 

(4) Key pair writing: 

[0123] This is the writing operation through a port con- 55 
nected to the key pair control unit 720, in which the pro- 
gram key and the data key given as parameters are sep- 
arately stored into the key table 820 by the key writing 


operation of the key table 820. The indexes of the key 
entries obtained as a result are stored into the program 
key index and the data key index in the key pair look up 
table 830. 

[0124] The key pair table 810 has interfaces for pro- 
viding the same operation from a viewpoint of the key 
pair control unit 720. Consequently, three operations of 
the key pair control unit 720 including the new key pair 
registration, the existing key pair reading, and the exist- 
ing key pair writing are the same as in the first embodi- 
ment. 

[0125] However, in the second embodiment, the fol- 
lowing operations are added to the key pair table 810 
and the key pair control unit 720 besides the operations 
of the first embodiment, in order to provide a mechanism 
by which one process uses a plurality of data keys. 
[0126] First, the operation to be added to the key pair 
table 810 is as follows. 

* Data key writing: 

[0127] This is the writing operation through a port con- 
nected to the key pair control unit 720, in which the pro- 
gram key index, the data key, and the key pair tag are 
received as parameters. First, the data key is stored into 
the key table 820 by the key writing operation of the key 
table 820. The index of the key entry obtained as a result 
and the program key index received as a parameter are 
respectively stored into the data key index 831-2 and 
the program key index 831-1 of the key pair specified 
by the key pair tag as the index. 
[01 28] Next, the operation to be added to the key pair 
control unit 720 is as follows. 

* New data key registration: 

[01 29] Here, a first key pair tag for specifying the proc- 
ess that owns the data key, a second key pair tag for 
specifying the data key to be newly registered, and the 
key data in which the data key to be registered is en- 
crypted by using the program key of the first key pair tag 
are received from the processor core 201 . The key data 
are stored into the encrypted key pair register 726 even 
though it is not the key pair data. 
[0130] First, the key pair reading operation with re- 
spect to the key table 820 is carried out by using the first 
key pair tag as the index, and the key pair is read out to 
the key pair register 724. 

[0131] The key pair encryption processing unit 725 
decrypts data on the encrypted key pair register 726 by 
using the program key 724-1 on the key pair register 
724 by regarding this data as the encrypted key, and 
stores its result to the data key 724-2 of the key pair 
register 724. 

[0132] The key pair control unit 720 registers the in- 
dex of the program key read out by using the first key 
pair tag and the data key 724-2 of the key pair register 
724 as the key pair by using the data key writing oper- 
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ation of the key pair table 810. 

[0133] By this operation, a new key index pair in which 
the index of the registered data key and the index of the 
program key to be used with that data key are paired 
can be formed. 

[0134] In other words, this is the operation for group- 
ing a plurality of key pairs that share the common pro- 
gram key. Moreover, the encryption processing using 
the program key is required in the operation for adding 
the key pair to the group, so that it is only possible for 
those processes which know the program key. 
[0135] The above described data key registration op- 
eration gives the data encrypted by using the program 
key, but it is also possible to modify this operation such 
that it gives the data encrypted by using another key dif- 
ferent from the program key, such as the public key of 
the processor or another data key. In this case, it is the 
operation for grouping according to another key rather 
than grouping according to the program key, so that it is 
applicable to the situation where the key is to be shared 
among programs. 

[0136] In the first embodiment, a limiting mechanism 
in which the coincidence of the key pair tag values is set 
as a condition for the success of the data transfer and 
the operational manipulation has been described. In the 
second embodiment, the data transfer and the opera- 
tional manipulation are to be permitted for the key pairs 
generated by the same process even if the key pair tags 
are different. Namely, in addition to the key pair tag value 
itself used in the first embodiment, the program key in- 
dex and the data key index of the key pair specified by 
that key pair tag are also used as the criteria forjudging 
whether the data transfer or the operational manipula- 
tion is permitted or not. 

[0137] As for the context switching by the operating 
system, the exemplary case described above for the first 
embodiment is also applicable to the second embodi- 
ment. 

[0138] Note that the first and second embodiments 
have been described above by using configurations 
formed by functional elements, but these functions only 
represent the logical division and do not indicate the 
physical arrangement of the functional elements on the 
processor. For example, the key pair is stored as one 
set in one table in the above embodiments, but the phys- 
ical arrangement on the processor can be such that a 
table storing the program keys is to be provided in a vi- 
cinity of the instruction decryption processing unit while 
a table storing the data keys is to be provided in a vicinity 
of the data encryption/decryption processing unit, for ex- 
ample. 

[0139] As described above, according to the present 
invention, the program key for decrypting the program 
and the data key for encrypting/decrypting the data are 
handled as cryptograph really inseparable pair inside the 
processor, so that it becomes possible for the processor 
to protect processes that actually execute the program, 
without intervention by the operating system. Conse- 


quently, it becomes possible to conceal the secret infor- 
mation of the program not only from other user programs 
but also from the operating system. 
[0140] Also, according to the present invention, a tag 

5 for identifying the process that is a target of the protec- 
tion by the processor is attached to data inside the proc- 
essor so that it becomes possible to carry out the switch- 
ing of processes while maintaining the protection target 
data in the decrypted form within the internal memory. 

10 [0141] Namely, assuming the program encryption key 
distribution scheme using the public key cryptosystem, 
the present invention basically proposes a key manage- 
ment scheme in which the program key (first key) for 
decrypting the encrypted program and the data key 

15 (second key) for encrypting/decrypting data processed 
by this program which is generated by the microproces- 
sor are maintained in correspondence as the key pair. 
[0142] According to this scheme, the microprocessor 
decrypts the encrypted program by using the first key, 

20 generates the second key corresponding to the first key, 
and gives an identifier to a combination of these keys. 
The first key and the second key are written into the key 
pair table as the key pair, and the identifier is used by 
the subsequent processing for the purpose of identifying 

25 this key pair. During the execution of the decrypted pro- 
gram, the identifier given to the key pair of the first key 
used in decrypting this program is indicated. When the 
execution of the decrypted program is to be discontin- 
ued by the interruption or the like, the data processed 

30 by this program is encrypted by using the second key 
corresponding to the current identifier, and saved to the 
external memory or the like. The access right with re- 
spect to the processed data is judged according to the 
coincidence of the key pair such that the protection of 

35 data among processes is guaranteed cryptographically. 
[0143] In order to realize this scheme, the microproc- 
essor of the present invention has an instruction decryp- 
tion processing unit for decrypting the encrypted pro- 
gram by using the first encryption key (program key), a 

40 data encryption/decryption processing unit for encrypt- 
ing/decrypting the data processed by the decrypted pro- 
gram (i.e., the execution state of the process) by using 
the second encryption key (data key), a key pair man- 
agement unit having a first memory region (key pair ta- 

45 ble) for storing the first and second keys in pair, and a 
second memory region (register file) for storing a tag 
(identifier) for identifying this key pair along with data 
related to the program. 

[0144] The program key and the data key are stored 
50 as inseparable pair, and in the case of operating this pair 
from the program side, this key pair can be operated 
only in an encrypted form obtained by using the secret 
key specific to the processor. In this way, it becomes 
possible to make the analysis of the program itself cryp- 
55 tographically difficult and also make the analysis of the 
execution state of the program difficult even from the 
operating system, at a time of executing the encrypted 
program. Also, by attaching a tag for identifying the key 
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pair to each corresponding data, the data transfer using 
the encryption processing can be carried out within a 
range that is minimum necessary for maintaining the se- 
cret. 

[0145] The program key for decrypting the encrypted 5 
program is given by the public key cryptosystem. The 
microprocessor also has a data key generation unit, and 
generates the data key for encrypting/decrypting data 
to be processed by the program decrypted by this pro- 
gram key when the new program key is given. The key 10 
pair generated in this way is stored in the key pair table. 
[0146] The microprocessor has a third memory region 
(system register) for storing the effective key pair iden- 
tifier which is an identifier of the effective key pair that 
is used by the currently executed program. When a tran- f 5 
sition to the kernel mode is made due to the interruption 
or the like while the program is executed in the user 
mode, the effective key pair identifier is switched to a 
specific value indicating the kernel mode. In this way, 
the program of the user mode and the interruption 20 
processing program can be distinguished clearly. When 
the interruption processing program temporarily saves 
the data stored in the second memory region by the pro- 
gram of the user mode to the external, the data encryp- 
tion/decryption processing unit transfers the data to the 25 
external memory by using the encryption key specified 
by the identifier attached to that data. In this way, the 
data can be protected safely even when the exception 
due to the interruption or the like occurs. 
[0147] The key pair table stores a plurality of key 30 
pairs, where each key pair is formed by paring the first 
key (program key) and the second key (data key) in one- 
to-one correspondence. 

[0148] Alternatively, the key pair table may contain a 
look up storage region for storing an index of the first 35 
key and an index of the second key in correspondence, 
and a key storage region for storing the first and second 
keys separately. In this case, the key index itself has a 
small size so that only a small memory capacity is re- 
quired for the look up storage region. Also, the sepa- 40 
rately stored first and second keys are specified by the 
indexes, so that the indexes can be used to specify a 
plurality of key pairs by appropriately combining the pro- 
gram key and the data keys of the processed data, in 
the case where a plurality of different data are proc- 45 
essed with respect to the same one program under the 
multi-task environment, for example. 
[0149] The microprocessor also has a memory ac- 
cess unit connected to the second memory region and 
the third memory region. The memory access unit has 5p 
a data transfer judgement unit for judging whether the 
data transfer is permitted or not according to an identifier 
of the key pair attached to the data to be transferred and 
the effective key pair identifier. 

[0150] The microprocessor also has a logical opera- 55 
tion unit connected to the second memory region and 
the third memory region. The logical operation unit has 
an operation execution judgement unit for judging 


whether the operation execution is permitted or not ac- 
cording to an identifier attached to the operand of the 
operation and the effective key pair identifier. 
[0151] In this way, the safety of the data can be further 
improved by attaching the identifier for identifying the 
key pair to the data to be handled inside the microproc- 
essor, and using the identifier of the key pair attached 
to the data for judging the access right or the operation 
execution possibility at a time of the data transfer or the 
operational manipulation. 

[01 52] The second memory region is formed by a plu- 
rality of entries, and each entry has data related to the 
program and an identifier for identifying the key pair to 
be used for that data. With this configuration, when the 
processing in the kernel mode is requested due to the 
interruption and the effective key pair identifier in the 
third memory region takes a value indicating the kernel 
mode, for example, it becomes possible to encrypt only 
the data of the desired entry and the corresponding 
identifier and save them to the external memory. Name- 
ly, at a time of the interruption occurrence, in addition to 
the saving of the entire data in the second memory re- 
gion, it is possible to save only a part of the data in the 
second memory region. 

[0153] It is also to be noted that, besides those al- 
ready mentioned above, many modifications and varia- 
tions of the above embodiments may be made without 
departing from the novel and advantageous features of 
the present invention. Accordingly, all such modifica- 
tions and variations are intended to be included within 
the scope of the appended claims. 


Claims 

1. A microprocessor, comprising: 

an instruction decryption processing unit con- 
figured to decrypt a program in an encrypted 
form by using a first encryption key; 
a data encryption/decryption processing unit 
configured to encrypt/decrypt data processed 
by the program in a decrypted form by using a 
second encryption key; 
a key pair management unit connected to the 
instruction decryption processing unit and the 
data encryption/decryption processing unit, 
having a first memory region for storing the first 
encryption key and the second encryption key 
in correspondence as a key pair; and 
a second memory region for storing an identifier 
for identifying the key pair, along with related 
data of the program. 

2. The microprocessor of claim 1 , wherein the first en- 
cryption key is given by a public key cryptosystem, 
and 

the key pair management unit has a key gen- 
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eratton unit configured to generate the second en- 
cryption key for encrypting/decrypting data 
processing by the program that is decrypted by us- 
ing the first encryption key when the first encryption 
key is given. 

3. The microprocessor of claim 2, wherein the key pair 
management unit has an encrypted key pair storage 
region for storing the key pair of the first encryption 
key and the second encryption key in an encrypted 
form obtained by using a secret key of the micro- 
processor. 

4. The microprocessor of claim 1, wherein the first 
memory region stores the first encryption key and 
the second encryption key in one-to-one corre- 
spondence. 

5. The microprocessor of claim 1 , wherein the first 
memory region includes a key pair look up storage 
region for storing an index of the first encryption key 
and an index of the second encryption key as a pair, 
and a key storage region for storing the first encryp- 
tion key and the second encryption key separately. 

6. The microprocessor of claim 1 , further comprising: 

a third memory region for storing an effective 
key pair identifier of an effective key pair used 
by a currently executed program, and 
the data encryption/decryption processing unit 
transfers the related data stored in the second 
memory region to an external memory by using 
an encryption key specified by an identifier cor- 
responding to the related data when a value of 
the effective key pair identifier stored in the third 
memory region takes a specific value. 

7. The microprocessor of claim 6, further comprising: 

a memory access unit connected to the second 
memory region and the third memory region, 
the memory access unit having a data transfer 
judgement unit configured to judge whether a 
data transfer is permitted or not according to 
the identifier of the key pair attached to data to 
be transferred and the effective key pair identi- 
fier stored in the third memory region. 

8. The microprocessor of claim 6, further comprising: 


effective key pair identifier stored in the third 
memory region. 

9. The microprocessor of claim 6, wherein the second 
5 memory region is formed by a plurality of entries 
and each entry stores the related data of the pro- 
gram and the identifier for identifying the key pair 
used for the related data, and 

the data encryption/decryption processing 
10 unit transfers a desired data in a desired entry and 
a corresponding identifier in an encrypted form 
when a value of the effective key pair identifier in 
the third memory region takes the specific value. 

15 10. The microprocessor of claim 6, wherein the effec- 
tive key pair identifier stored in the third memory re- 
gion takes the specific value when an exception oc- 
curs. 

20 1 1 . A data protection method for a microprocessor, the 
data protection method comprising: 

decrypting a program in an encrypted form by 
using a first encryption key; 
25 generating a second encryption key corre- 

sponding to the first encryption key, for encrypt- 
ing/decrypting data processed by the program 
in a decrypted form; 

storing the first encryption key and the second 
30 encryption key in correspondence as a key pair; 

giving an identifier for identifying the key pair, 
to the key pair; and 

reading out the second encryption key accord- 
ing to the identifier, encrypting the data by using 
35 the second encryption key and saving the data 

in an encrypted form to an external memory 
when an exception occurs during an execution 
of the program. 

40 12. The data protection method of claim 11, further 
comprising: 

reading out the data in the encrypted form 
saved in the external memory and decrypting 
the data by using the second encryption key ac- 
cording to the identifier, after the exception is 

over. 

13. The data protection method of claim 1 1 , wherein the 
storing step stores the first encryption key and the 
second encryption key in one-to-one correspond- 
ence. 

14. The data protection method of claim 11 , wherein the 
storing step stores an index of the first encryption 
key and an index of the second encryption key as 
a pair, while storing the first encryption key and the 
second encryption key separately. 


a logical operation unit connected to the second 
memory region and the third memory region, 
the logical operation unit having an operation 
execution judgement unit configured to judge 55 
whether an operation execution is permitted or 
not according to the identifier attached to an op- 
erand of an operation to be executed and the 
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15. The data protection method of claim 11, further 
comprising: 

storing the key pair of the first encryption key 
and the second encryption key in an encrypted 5 
form obtained by using a secret key of the mi- 
croprocessor. 

16. The data protection method of claim 11, further 
comprising: 10 

storing an effective key pair identifier of an ef- 
fective key pair used by a currently executed 
program, and 

transferring related data of the program to an 15 
external memory by using an encryption key 
specified by an identifier corresponding to the 
related data when a value of the effective key 
pair identifier takes a specific value. 

20 

17. The data protection method of claim 16, further 
comprising: 

judging whether a data transfer is permitted or 
not according to the identifier of the key pair at- 25 
tached to data to be transferred and the effec- 
tive key pair identifier. 

18. The data protection method of claim 16, further 
comprising: 30 

judging whether an operation execution is per- 
mitted or not according to the identifier attached 
to an operand of an operation to be executed 
and the effective key pair identifier. 35 

1 9. The data protection method of claim 1 6, wherein the 
giving step stores the identifier in a memory region 
formed by a plurality of entries, where each entry 
stores related data of the program and the identifier <o 
for identifying the key pair used for the related data, 
and the data protection method further comprising: 

transferring a desired data in a desired entry 
and a corresponding identifier in an encrypted 45 
form when a value of the effective key pair iden- 
tifier in the third memory region takes the spe- 
cific value. 

20. The data protection method of claim 1 6, wherein the so 
effective key pair identifier takes the specific value 
when an exception occurs. 

21. A carrier medium carrying computer readable in- 
structions for controlling a computer to carry out the 55 
method of any one claims 11 to 20. 
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